SpiderLabs Blog

In a previous blog post, we discussed the common lifecycle of web server botnet recruitment. While installing Perl IRC botnet scripts is a common post-exploitation tactic, it is by no means the only method used to interact with or control compromised websites. This blog post will outline how attackers utilize webshell/backdoor webpages and the audit log file these webshells often leave behind.

The "f" parameter is the file that the attacker is now viewing through this webshell. As you can see, the attacker is able to inspect the wp-config.php file contents, which disclose sensitive data such as the DB username and password. This type of data leakage could potentially lead to deeper compromise. Other examples of actions include:

Attackers can even edit existing files to try and remove their tracks from logs. This screenshot shows an example of editing the Apache access_log file:

Webshell Usage Logging

While reviewing these webshell files, we found that many include audit logging as part of the backdoor. For example, let's look at the source of that thumbid.php script again:

This section of PHP code creates an audit log file called "x.txt" in the document root directory of the website and logs all interactions by web clients with this webshell. Here are some examples that SpiderLabs has obtained which show past commands used.

This particular attacker executed many commands as you can see. The most notable of which was to download and run this program -

The "confspy.pl" script will search home directories for users and attempt to steal their FTP credentials. Knowing that a tool like this has been run on your system widens the scope of compromise and would require your users to change all passwords to help prevent the attacker from re-gaining access even if you were to patch the original Timthumb attack vector.

Takeaways

After analyzing these types of webshell backdoors for quite some time, it is clear that the majority of these attackers are simply re-using webshells written by others. They simply modify the page TITLE or color scheme to take some cosmetic ownership of the code. This is one of the main reasons why this audit logging code persists in these webshells. In addition to the more common audit log name of "x.txt", you should also look for "logx.txt", as that has been seen quite frequently as well. Hopefully this information will help you if you find that your website has been compromised and you are trying to identify what actions the attacker executed.
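The two checks a responder would run from the above, as an added example that is not part of the original post: locate any "x.txt" / "logx.txt" audit logs under the document root, and pull out of the Apache access_log every request to the webshell (the post's thumbid.php with its "f" file parameter) so the files the attacker viewed can be listed. The access_log lines below are constructed samples in Combined Log Format; the shell name and parameter name are taken from the post and can be changed.

```python
import os
import re
from urllib.parse import urlparse, parse_qs

# Constructed sample access_log lines (not from the original post).
SAMPLE_ACCESS_LOG = """\
203.0.113.5 - - [10/Oct/2011:13:55:36 -0500] "GET /index.php HTTP/1.1" 200 5120
203.0.113.5 - - [10/Oct/2011:13:56:01 -0500] "GET /wp-content/themes/x/thumbid.php?f=wp-config.php HTTP/1.1" 200 812
203.0.113.5 - - [10/Oct/2011:13:57:10 -0500] "GET /wp-content/themes/x/thumbid.php?f=access_log HTTP/1.1" 200 9320
"""

# Audit log names the post says these re-used webshells write into the document root.
AUDIT_LOG_NAMES = {"x.txt", "logx.txt"}

# Common/Combined Log Format: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<url>\S+) [^"]*" (?P<status>\d{3})'
)


def suspicious_requests(lines, shell_name="thumbid.php", param="f"):
    """Return (client_ip, timestamp, viewed_file) for each request that hit the
    webshell script and passed it a file through the file-view parameter."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected log format
        parsed = urlparse(m.group("url"))
        if os.path.basename(parsed.path) != shell_name:
            continue
        for target in parse_qs(parsed.query).get(param, []):
            hits.append((m.group("ip"), m.group("ts"), target))
    return hits


def find_audit_logs(docroot):
    """Walk the document root and return (path, size) for every file whose name
    matches one of the webshell audit-log names, so it can be preserved and read."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in files:
            if name.lower() in AUDIT_LOG_NAMES:
                path = os.path.join(dirpath, name)
                found.append((path, os.path.getsize(path)))
    return sorted(found)


if __name__ == "__main__":
    for ip, ts, target in suspicious_requests(SAMPLE_ACCESS_LOG.splitlines()):
        print(f"{ts} {ip} viewed {target} via webshell")
    for path, size in find_audit_logs("/var/www/html"):  # assumed document root
        print(f"audit log found: {path} ({size} bytes)")
```

Preserve any audit log you find (copy it with timestamps intact) before reading it, since its modification time is itself evidence of when the shell was last used.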